The present disclosure generally relates to inspecting a computer. More particularly, the present disclosure relates to a method for inspecting a host computer using a USB device as well as to a USB device for inspecting a host computer.
Techniques for inspecting computer systems have been studied for decades and, nowadays, a variety of tools are available that allow analyzing infected computer systems including, for example, software tools providing antivirus and malware detection and disinfection capabilities. Today, these tools have been widely adopted and are employed in various use cases to protect various kinds of systems against various types of malicious software.
Advanced tools available for inspecting a computer system not only provide capabilities for scanning an infected computer system for malicious software, but additionally provide capabilities for actively debugging an infected computer system while keeping the system running. Such tools allow monitoring the behavior of malicious software programs, for example, by monitoring respective processes running on an operating system and monitoring their communication by intercepting corresponding network traffic.
One such advanced inspection tool is Ramooflax, a free and open source virtualization tool delivered in the form of a minimalistic kernel that acts as a hypervisor and allows remote client access to the functions implemented in the hypervisor. Ramooflax allows injecting a hypervisor for the purpose of virtualizing an operating system which is already installed on a physical computer system. The underlying idea is to boot the hypervisor on the physical computer system from an external storage medium, for example, a USB stick, and, once the hypervisor is initialized, to boot the already installed operating system within the virtualized environment provided by the hypervisor. In this way, it is possible to analyze the operating system through the hypervisor while the operating system itself is running in its native environment. For remote client access to the hypervisor functions, an external computer must be connected to the physical computer system using an available interface, such as, for example, the physical computer system's Ethernet port.
In general, it is an essential requirement of tools like Ramooflax that their operation should not be detectable by the malicious software being monitored, so that the malicious software is not aware that it is under inspection. The use of common communication technologies for remote client access, such as Ethernet, however, makes the monitoring activity easily detectable, because the malicious software itself can be adapted to monitor the communication interfaces of the physical computer system. Further, some computer systems only support a limited number of interfaces, so that connecting to the hypervisor via remote client access may not be possible at all because all interfaces of the computer system may already be in use. In other cases, although the required interfaces might be available at the computer system, there may be other constraints, such as space constraints in a limited space environment, that make connecting an external computer acting as a remote client impossible.